"Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions...

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder...

That's an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it's two-factor authentication, ID cards, biometrics, or whatever, there's a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed...

Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."

Identity theft solutions focus too much on authenticating the person? Actually you can probably read this all across to ID cards and translate the last 3 sentences thus, once we all do have ID cards:

To mitigate that risk, we need to concentrate on detecting and preventing [fraudulent transactions] terrorism. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the [financial institutions] government liable for [fraudulent transactions] terrorism.

Oops, I forgot. That's exactly what the UK government are afraid of. Hence the rush to manage the security theatre public relations battle, the ill-thought-out developments in law and the soundbite nonsense we hear trotted out in the current election campaign on the subject.

A disgruntled Comcast customer has sued the company for passing her personal details to the RIAA as a suspected file sharer. Her lawyer reckons "Comcast should respect the rights of privacy who pay them monthly bills".

Wednesday, April 13, 2005

The UK government have apparently silenced an online discussion about a hot topic within the higher education sector - "VLEs", that's "virtual learning environments" for the uninitiated. These are the information systems that universities have been (mostly) buying or building for so-called "elearning."

"A JISCMail discussion list on VLEs has really been suspended because it, and others, are apparently perceived as a 'clear and present danger' to the results of the forthcoming UK election. To quote:

"All services provided by non-departmental public bodies (such as Becta) must comply with the General Election Guidance issued by the Cabinet Office.""

As one of the HE anoraks with an interest in VLEs I find this kind of thing really irritating. I'll say no more.

Tuesday, April 12, 2005

David Bollier is pleased at the opening of the BBC's creative archive.

"Ah, but what about “piracy”? How’s this for a refreshing response by the BBC: “If we had started at the policing end we'd never have gotten anywhere with this. Where you've got to start from is, how do we make more content available? I believe this can be a win-win. UK license-fee payers get more access to our content, and having it out there also stimulates various commercial sales markets. I don't believe one has to detrimentally affect the other.”

There is a lot of momentum growing behind business models based on open-platform sharing. When will the powers that be recognize that the intellectual property/piracy dichotomy misses the point -- and begin to understand the new paradigm?"

Siva is concerned at the firing of a radio show host for airing "a clip of Condoleezza Rice’s nomination questioning" which he apparently recorded from C-SPAN off his own TV.

"The WRPI Executive Committee, which does much of the decision making for WRPI, heard from someone (not C-SPAN) who heard Karius’ Jan.19 show, saying that he improperly used material from C-SPAN. At a meeting of the E-Comm about a week later, the committee voted for his permanent removal as a result of “gross violation of federal copyright law and consequently WRPI’s policy.”...

Karius began contacting his scheduled guests. Then he set to researching copyright law. He is convinced he did not commit any offense by airing the excerpt. National copyright experts, and even C-SPAN’s own policies, say the same...

As long as the material Karius recorded and aired is within the public domain, he is free to use it as a radio host. “He did what any citizen can and may do. C-SPAN is our only source of the sounds of Congress, so we should feel free to use it for reporting and commentary,” Vaidhyanathan said...

Much of the WRPI Executive Committee is composed of RPI students who are not necessarily experts in the field of Federal Copyright Law. Indeed, Kaufman seemed confused about what was specifically violated and how, but said, “It is our interpretation, as well as the interpretation of RPI’s legal counsel and a lawyer specializing in communication, that the material aired by Dennis was a violation of C-SPAN’s intellectual property rights even though we are a public radio station.”

Karius said he understands why E-Comm was hypervigilant. He said he did not want to damage WRPI’s reputation, and is still a supporter of the station. In Karius’ opinion, the reaction to his show was perhaps caused by the ever-increasing sensitivity of information and copyright issues."

The Washington Post says the Vatican is concerned about its ability to protect the private deliberations of the conclave to elect the new pope from high-tech enabled journalists, snoopers and general mischief makers.

They are right to be concerned. Given the huge incentives of a wide range of people to get the inside story of the conclave and the power of readily available snooping technologies, they will have their work cut out to prevent any leaks.

Michael Geist has been encouraging Canadian medics to take a serious look at the Canadian government's proposals for a new copyright law similar to the US's DMCA and the EU's 2001 copyright directive.

"Consider the potential impact on genetic research. Researchers seeking to obtain access to proprietary genetic databases could be forced to negotiate a licence from the database owner, despite user rights that would otherwise grant the right to access and use selected portions of the database content without prior approval...

The proposals would also harm the use of the Internet as an educational tool within Canada's medical schools. The federal government's copyright proposals contemplate reversing the decade-old policy of avoiding Internet licensing by creating a licensing system for Internet content that would create new restrictions to accessing online content. Although the proposals began with the laudable goal of increasing access while providing creators with appropriate compensation, by proposing a very narrow definition of what can be accessed without compensation, the plan would effectively force millions of Canadian students to pay for access to content that is otherwise publicly available.

Rather than adopting an approach that facilitates the use of the Internet, the government is moving toward a model that will force schools to pay to use Internet materials — contrary to the expectations of many creators. Canadian medical schools, which are struggling with 20th-century budgets to provide a 21st-century education, should call on the federal government to reject the proposal and instead adopt a balanced copyright approach that encourages the use of the Internet in Canadian schools."

The UK government are going ahead with the compulsory fingerprinting of passport applicants even without the cover of parliamentary "authority", which with the large Labour majority has been nothing more than a rubber stamp for the wishes of the executive, anyway.

"The home secretary Charles Clarke has authorised the passport service to acquire 70 new passport service offices across the country so that all adult applicants for new documents can be interviewed in person from next year. The service currently has seven offices.

The Home Office admits that the new network could also be used in future as identity card enrolment centres and the introduction of mandatory fingerprinting of passport applicants will form an important "building block" for the future ID card scheme."

So much for the election delaying the progress of the ID card white elephant. Well, given the government have more people in the public services working on the non-existent, not-yet-approved ID card scheme than they have hi-tech crime unit police officers, I guess they didn't want all those civil servants to be at a loose end whilst the election campaign was going on. The Lib Dems have called the process an abuse of democracy.

This one won't lie down. Following a French appeal court ruling that Yahoo and their ex-CEO were not criminally liable for selling Nazi memorabilia, a US appeal court, according to the Center for Democracy and Technology, has agreed to "reconsider an earlier decision restricting Yahoo's efforts to protect its lawful US publications from liability under French law. A French court had imposed fines on the U.S.-based Yahoo! for web site content that is lawful in the U.S. but illegal in France. A lower U.S. court held that enforcing the French fines would violate the U.S. First Amendment. An appeals court panel disagreed."

Charles Arthur at the Register ponders the fate of Fiona Apple's third album and how it illustrates the difficulties Sony are having with the digital age in entertainment.

"nobody wins. Fiona Apple's album goes mostly unheard. Sony gets no revenues from its being downloaded. And all because the idea of selling music online has to be made to fit into the strategies used for 90-odd years. You've adapted your job and your business to this interweb thing. But the record labels still think the Net should bow to their thinking.

Oh, and there's a final irony in it all. Sony, the company at the centre of all this, should be celebrating whoever wins that case. For it's arguing on both sides. That's right. Check the dockets at this page (http://washingtonpost.findlaw.com/supreme_court/docket/2004/march.html#04-480) and you'll find that one of the "petitioners" (http://news.findlaw.com/hdocs/docs/mpaa/petitioner12405brf.pdf) (379KB PDF) along with MGM is Sony Music.

Look further down at those "supporting respondents" (ie backing Grokster), and you'll find the Consumer Electronics Association's amicus brief (http://news.findlaw.com/hdocs/docs/mpaa/cea030105brf.pdf) (273KB PDF). And among the members of the CEA? Sony Electronics."

The BBC have heard about a course in Barcelona that was "set up by the Institute for Security and Open Methodologies (ISECOM), a non-profit computer security outfit that wants to make students streetwise to the hostile neighbourhood the internet can often be."

Donna reports that James Love has provided "(1) links to various countries' proposals for interpreting the Development Agenda and (2) a telling "scorecard" of key words in the proposals, providing an at-a-glance analysis of substantive slant."

"Canada is in the midst of a contentious copyright reform with advocates for stronger copyright protection maintaining that the Internet has led to widespread infringement that has harmed the economic interests of Canadian artists. The Canadian Recording Industry Association (CRIA) has emerged as the leading proponent of copyright reform, claiming that peer–to–peer file sharing has led to billions in lost sales in Canada.

This article examines CRIA’s claims by conducting an analysis of industry figures. It concludes that loss claims have been greatly exaggerated and challenges the contention that recent sales declines are primarily attributable to file–sharing activities. Moreover, the article assesses the financial impact of declining sales on Canadian artists, concluding that revenue collected through a private copying levy system already adequately compensates Canadian artists for the private copying that occurs on peer–to–peer networks."

"The report documents the legal thuggery the Monsanto corporation commits upon U.S. farmers – many of them totally innocent and unsuspecting – to enforce the patents on its genetically modified seeds. The company has turned the genetic commons into a corporate police state; and if that sounds inflammatory and extreme, then check out the report."

Interestingly enough, the European Patent Office have just concluded their review of biotech firm Syngenta's and Greenpeace's challenge to Monsanto's patenting of herbicide-resistant seeds on this side of the pond and declared the patents valid.

"P-to-P (peer-to-peer) file-trading enthusiasts like to rant about the draconian steps taken by groups like the RIAA (Recording Industry Association of America) to enforce laws protecting their intellectual property rights, by shutting down distribution systems like the original Napster. But can those enthusiasts be organized into an influential grassroots organizing force?

The founders of CopyNight hope that the answer is "yes," and that social gatherings can ferment political activism."

Another piratical business model built on the blood, sweat and tears of the entertainment industry.

Sir Alec Jeffreys, who discovered DNA fingerprinting, has called for the creation of a database which would contain the DNA details of everyone in the world.

"At a lecture on Saturday to mark the 20th anniversary of the discovery of DNA fingerprinting, Professor Sir Alec Jeffreys, of Leicester University, said a global DNA database would have been invaluable in attempting to identify victims of the recent tsunami. Instead, investigators faced endless searches through incomplete records, or having to cause further distress to relatives of the victims."

He suggests that access to and use of such a database should be strictly controlled, and he has serious criticisms, for example, of the UK criminal DNA database. If the existing UK scheme, used for limited purposes (law enforcement) and minuscule by comparison with the proposed database, has so many problems, though, how could such a database possibly work in practice?

What problem are you trying to solve? A: Identifying victims in case of disaster (and other unspecified noble objectives).

How many other problems can it cause? Quite a few, similar to the national ID card scheme. Tens of thousands, if not millions, of people have to have access to the system and some of them will have malign intentions. How can the database fail naturally (through errors in entries etc) and how can it be made to fail (eg deliberate falsification of records), leading to erroneous identification of victims? Function creep - once such a database exists, the temptation to use it for other things becomes irresistible. How do we know this? Because it already happens.

How much does it cost? Well, the UK national ID card scheme is currently pegged at between £3 billion and £11 billion. A database a thousand times as big may cost a thousand times as much again, though economists would, no doubt, berate me for making such a simplistic jump, not taking into account economies of scale on the positive side and the negative effects of collating international collaboration on a global scale.